This is difficult to explain, so bear with me.
We have 2 domain controllers, each multi-homed to straddle 2 internal subnets, (subnet A and subnet B) and provide dns, dhcp, and ldap authentication.
Both domain controllers each have 2 DNS entries. both entries have identical host names, but correspond to subnet A & subnet B respectively (example entries shown):
dc1 host 192.168.8.1
dc1 host 192.168.9.1
dc2 host 192.168.8.2
dc2 host 192.168.9.2
We also have a 3rd subnet for our dmz, (subnet C) which neither domain controller has an IP address on, but our firewall/routing tables provide access to subnet A from subnet C and vice versa, but don't allow access to subnet B from subnet C.
Here's my issue. How can I force/determine which dns entry is used when a server on subnet C queries either domain controller by host name? Right now it seems to randomly pick one of the two entries, swaps out the name for the IP address and that's that.
The problem is if it randomly selects the entry that corresponds to the 9.x subnet B (no access from subnet C), then the server fails to resolve. If it picks the entry for the 8.x subnet A then it resolves (firewall/routing tables defined for communication between these 2 subnets)
Here's what I'd like to know:
- What are Best Practices (if any) for dealing with DNS resolution on subnets that the DNS servers don't have a presence on?
- Can I control something akin to a metric value to force an order of DNS resolution when there are multiple entries for the same host name that correspond to different IP subnets?
- Should I even have 2 DNS HOST entries for the same name?
Here's what I'd like to avoid:
- Making edits to the HOSTS files of servers on subnet C to force DNS resolution of the hostname to the appropriate subnet
- Adding NIC's to the DC's to have them straddle the DMZ as well, thus obtaining a third DNS entry that corresponds to subnet C
Again, my apologies if this was too verbose / unclear.
Thanks!
At the risk of not answering your question - I don't understand the need to multihome your DCs - just put them on their own subnet (VLAN is better) which is routable from any subnet that needs it. This avoids the split DNS issue completely.
I agree with @Ed Fries' comment about setting up sites - this was my initial thought as well - if you had to keep the same network topology then it is perhaps a suitable way of doing things.
Still ditching the multi homing would be my preferred (and as Ed points out MS's recommended) method.
I suspect the OP's multi-home setup is an attempt to resolve issues with either DHCP or Wins.